## What is VEX

Vulnerability Exploitability eXchange (VEX) is a form of security advisory whose goal is to communicate the exploitability of components with known vulnerabilities in the context of the product in which they are used.

Security scanners will detect and flag components in software that have been identified as vulnerable. Often, the software is not actually affected as signaled by the scanner, for reasons such as: the vulnerable component may already have been patched, may not be present, or may not be executable. To turn off false alerts like these, a scanner may consume VEX data from the software supplier.

https://cyclonedx.org/capabilities/vex/

## Why do we need VEX

https://github.com/openvex/spec#about-vex

## VEX in vet

### Context

vet is a tool intended to identify OSS dependencies and subsequently identify risks in those dependencies using configured policies. While generating an SBOM is not an absolute requirement, vet can do that using its data model.

From a user's perspective, it may be useful to continuously generate SBOMs using vet and maintain an inventory of SBOMs associated with each release of a software component. This may also be useful in audit use cases, where an auditor persona uses vet to generate an SBOM for an application, which in turn is used for risk assessment.

In this context, it may be very useful for such a user persona to generate VEX statements to associate additional information with the vulnerabilities / risks identified by vet and included in the SBOM. In particular, vulnerabilities can be marked as fixed or not applicable as required.

### User Experience

More thought and a user survey are required to define this. But at a high level, it should be:

- Create a YAML document with issues to be marked as fixed / NA etc., with justification
- Ingest the YAML document during the SBOM building phase to auto-generate VEX statements in the SBOM
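The two-step flow above, worked as an added example. This is not vet's code and the triage-document layout (`vex: [{id, ref, state, justification, response, detail}]`) is a hypothetical one chosen for the illustration; the SBOM, the scanner findings and the triage entries are constructed inline. What is not assumed is the `analysis` vocabulary, which is CycloneDX 1.4's, so the output is what a VEX-aware consumer would actually read. The document is written as JSON because YAML 1.2 is a superset of JSON: a YAML loader reads it unchanged, and the standard library can parse it here without PyYAML.

```python
"""Merge a triage document into a CycloneDX SBOM as VEX 'analysis' entries.

Added example, not vet's code. Triage format, SBOM and findings are constructed.
"""
import json
from copy import deepcopy

# CycloneDX 1.4 vocabulary for vulnerabilities[].analysis
VALID_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
                "in_triage", "false_positive", "not_affected"}
VALID_JUSTIFICATIONS = {"code_not_present", "code_not_reachable",
                        "requires_configuration", "requires_dependency",
                        "requires_environment", "protected_by_compiler",
                        "protected_at_runtime", "protected_at_perimeter",
                        "protected_by_mitigating_control"}
# States a consumer may treat as "no action needed"
SUPPRESSING_STATES = {"resolved", "resolved_with_pedigree",
                      "not_affected", "false_positive"}

LOG4J = "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"
LODASH = "pkg:npm/lodash@4.17.15"
MINIMIST = "pkg:npm/minimist@1.2.5"

# Constructed triage document (hypothetical layout). JSON is valid YAML 1.2,
# so a YAML loader would accept this file as-is.
TRIAGE_DOC = """
{
  "vex": [
    {"id": "CVE-2021-44228", "ref": "%s",
     "state": "resolved", "response": ["update"],
     "detail": "log4j-core upgraded to 2.17.1 in release 1.4.0"},
    {"id": "CVE-2020-8203", "ref": "%s",
     "state": "not_affected", "justification": "code_not_reachable",
     "detail": "only lodash.pick is imported; merge/zipObjectDeep are never called"}
  ]
}
""" % (LOG4J, LODASH)

# Constructed scanner output: what a scan reports before triage
FINDINGS = [
    {"id": "CVE-2021-44228", "source": "nvd", "ref": LOG4J},
    {"id": "CVE-2020-8203", "source": "nvd", "ref": LODASH},
    {"id": "CVE-2021-44906", "source": "nvd", "ref": MINIMIST},
]

# Constructed minimal CycloneDX 1.4 SBOM; bom-ref values are the purls
SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "components": [
        {"type": "library", "bom-ref": LOG4J, "name": "log4j-core",
         "version": "2.14.1", "purl": LOG4J},
        {"type": "library", "bom-ref": LODASH, "name": "lodash",
         "version": "4.17.15", "purl": LODASH},
        {"type": "library", "bom-ref": MINIMIST, "name": "minimist",
         "version": "1.2.5", "purl": MINIMIST},
    ],
}


def load_triage(text, sbom):
    """Parse the triage document and validate it: CycloneDX vocabulary only,
    a justification whenever a finding is declared not_affected, and refs
    that point at components actually present in the SBOM."""
    refs = {c["bom-ref"] for c in sbom["components"]}
    triage = {}
    for entry in json.loads(text)["vex"]:
        state = entry.get("state")
        if state not in VALID_STATES:
            raise ValueError(f"{entry['id']}: unknown state {state!r}")
        if state == "not_affected" and entry.get("justification") not in VALID_JUSTIFICATIONS:
            raise ValueError(f"{entry['id']}: not_affected requires a valid justification")
        if entry["ref"] not in refs:
            raise ValueError(f"{entry['id']}: {entry['ref']} is not a component in the SBOM")
        triage[(entry["id"], entry["ref"])] = entry
    return triage


def merge_vex(sbom, findings, triage):
    """Return a copy of the SBOM with one vulnerabilities[] entry per finding,
    carrying the triaged analysis, or in_triage when nothing was asserted."""
    out = deepcopy(sbom)
    out["vulnerabilities"] = []
    for f in findings:
        vuln = {"id": f["id"], "source": {"name": f["source"]},
                "affects": [{"ref": f["ref"]}]}
        t = triage.get((f["id"], f["ref"]))
        if t is None:
            vuln["analysis"] = {"state": "in_triage"}
        else:
            vuln["analysis"] = {"state": t["state"]}
            for key in ("justification", "response", "detail"):
                if key in t:
                    vuln["analysis"][key] = t[key]
        out["vulnerabilities"].append(vuln)
    return out


def actionable(sbom):
    """IDs a VEX-aware consumer would still alert on after reading the SBOM."""
    return sorted(v["id"] for v in sbom.get("vulnerabilities", [])
                  if v.get("analysis", {}).get("state") not in SUPPRESSING_STATES)


if __name__ == "__main__":
    merged = merge_vex(SBOM, FINDINGS, load_triage(TRIAGE_DOC, SBOM))
    print(json.dumps(merged["vulnerabilities"], indent=2))
    print("still actionable:", actionable(merged))
```

Two checks in `load_triage` matter more than the merge itself: a `not_affected` statement without a justification is rejected rather than silently suppressing a finding, and a statement whose `ref` matches no component is rejected so that a stale triage file cannot carry assertions about dependencies that are no longer in the build. Anything the triage file does not mention is emitted as `in_triage`, so the SBOM still shows the untouched finding (here the minimist CVE) as open.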